5
Data Security: On the Corporate Radar?

2013 FTI Consulting/Corporate Board Member Survey:
– Data security and IT risk is one of the most significant legal issues in 2013 for over 550 Directors and General Counsel surveyed
    The percentage of Directors and GCs concerned about data security has doubled since 2008
– Trend continued from 2012 Survey
– The median annualized cost of a cyber-crime per company averaged $8.9 million
    Denial of service, malicious insider and external attacks all up
– The survey noted participants' opinion that cyber risks are invisible, ever-changing, pervasive and costly

6
FTI Consulting Survey By the Numbers

Directors and GCs both identify data security as the number 2 issue that keeps them up at night – close on the heels of succession/leadership transitions, but of much greater concern than operational effectiveness or M&A transactions
Cyber risk cited by both directors and GCs as an issue on which the board will be spending considerable time this year
Only a third of GCs felt "very confident" in their company's ability to respond to a breach
Less than a quarter of directors agreed…

9
AIG Survey – February 2013

Major finding: Majority of corporate executives surveyed (258) were more concerned about cyber threats than about other major business risks
– 85% very or somewhat concerned about cyber risk to their organization
– Other responses:
    Loss of income – 82%
    Property damage – 80%
    Securities and investment risk – 76%

10
AIG Survey – February 2013 (cont'd)

More than 2 out of 3 (69%) executives and brokers believe that the reputational risk from a cyber attack is far greater to a company than the financial risk.
More than 7 in 10 (75%) executives and brokers say legal compliance issues are making companies think more about cyber risks.
The vast majority of brokers and executives (82%) believe hackers are the primary source of cyber threats, though a significant portion of those surveyed (71%) also perceive human error as a significant component of cyber risk.

13
SEC Cybersecurity Guidance

Corporation Finance guidance issued October 13, 2011
Cyber attacks:
– Target theft of financial assets, intellectual property, other sensitive information
– Customer or business partner data could be implicated
– Objectives could include disrupting business obligations
Disclosure if cyber-risks "are among the most significant factors that make an investment in the company speculative or risky"
– Consider frequency of prior incidents and probability and potential harm of future incidents
– "Specify how each risk affects the registrant"

14
SEC Guidance on Cybersecurity Disclosures

At least 21 Dow 30 companies discussed cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures.
Many were also drawing comments from the SEC and were required to add information or otherwise revise disclosures.

15
SEC Cyber-Comment Letters

In 2012, following hack of Amazon's Zappos servers, SEC asked Amazon to "expand [cybersecurity] risk factor to disclose that you have experienced cyber-attacks and breaches" and "to describe [risks of] third-party technology and systems."
SEC had disagreed with Amazon's view that hack was not significant enough to be covered by SEC Cybersecurity Guidance
Google, AIG, Hartford Financial Services Group, Eastman Chemical and Quest Diagnostics were also asked by SEC in 2012 to expand cybersecurity disclosures.
What if your company did no risk assessment, made no disclosure and then experienced a material breach?
Problem – it's no longer "if", but "when"

16
US Government Perspective on Cybersecurity

The "cyber threat is one of the most serious economic and national security challenges we face as a nation…America's economic prosperity in the 21st century will depend on cybersecurity." (President Obama)
Cyber-attacks against Google (attributed to China) a "wake-up call" about the vulnerabilities that could cripple the U.S. economy. (Dennis Blair, former Director of National Intelligence)
"[The] Government Accountability Office has reported that over the last five years, cyber-attacks against the United States are up 650 percent. The threat is real." (Sen. John McCain, Feb. 16, 2012)

18
Executive Order on Cybersecurity

Legislative efforts have failed – White House drafted Executive Order in late September 2012
Improving Critical Infrastructure Cybersecurity – signed by President Obama on February 12, 2013
Purpose stated in Section 12: "Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront."

22
Cybersecurity and Insurance

Limited coverage under traditional policies may be available
Specialized cyber coverage available as a stand-alone policy
– First and third party coverage available
Types of coverage include:
– Loss/corruption of data
– Business interruption
– Cyber Extortion
– Crisis Management

24
Cybersecurity and Insurance (cont'd)

Types of coverage include:
– Identity theft
– Social media/networking
– Liability
    Breach of privacy due to theft of data
    Transmission of computer virus or other liability resulting from a computer attack which causes financial loss to third parties
    Failure of security which causes network systems to be unavailable to third parties
    Allegations of copyright infringement or trademark or other "media" activities online.

25
Data Breach Insurance

Can I buy insurance for that? YES!
Coverage varies but the typical available coverages are:
– Third Party Computer Forensics Services to determine the scope of a failure of Network Security
– Complying with Privacy Regulations
– Notifying individuals whose Personal Information has been disclosed
– Retaining public relations firm, crisis management firm or law firm for advertising or related communications
– Retaining a law firm to determine any indemnification rights with an independent contractor
– Creditor monitoring services

26
D&O Insurance and Privacy

Almost all D&O insurance policies have a "privacy" exclusion
– Buried in the Bodily Injury/Property Damage exclusion
Most D&O insurance policies also have a Professional Services Exclusion
– Large gap in coverage
Coverage can possibly be modified – but not easily
– Takes more than just a simple endorsement

27
D&O Insurance and D&O Cyber Insurance

There are separate D&O Cyber Insurance policies that companies can purchase to protect the Board
– Number of carriers offer a broad range of different products
These policies are new and untested
– Buyer beware!
Many of the terms and conditions can be less favorable than the existing D&O policy
– In order to fill gaps, must be done carefully

31
Cynthia J. Larose

Member
Boston
JD, Boston University
MS, Boston University
BA, University of Massachusetts

Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP)
Represents companies in information, communications, and technology, including e-commerce and other electronic transactions
Extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions
Conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise
Frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies

32
Questions?

All information contained herein is proprietary to Mintz Levin and considered confidential. This document presents general information about Mintz Levin and is not intended as legal advice, and it should not be considered or relied upon as such.